15 October 2014

The last TrueCrypt 7.1a: cross checking hashes

TrueCrypt has had a good run, and the latest version was intentionally crippled so users can only read from but not otherwise use TrueCrypt volumes anymore.  Internet drama aside, some people have hosted the last full-featured TrueCrypt version 7.1a.

When downloading such security software, you should always check the source of what you download, and this is especially the case with the aftermath of this particular incident.  So I list below some sources to cross check the last version of TrueCrypt.

Open Crypto Audit Project started as a crowd funded way to get a full audit done on TrueCrypt.  They have posted a link to a verified source and binary repository on GitHub under the AuditProject account.  OCAP is explained a bit in this ArsTechnica article, noting that Thomas Ptacek is running Phase II, and Ptacek describes a bit more on this HN thread.

Of course, if you check the files from that repository against the hashes hosted on that repository, you'd expect them to match, even if it was maliciously set up.  So let's cross check with other, hopefully independent and trusted, sources.

Gibson Research Corp. has hosted a TrueCrypt Final Release Repository as well.  Gibson notes the same issue noted above, that you cannot check files against hashes hosted from the same location.  He references a PGP signed file of hashes hosted at Defuse Security.

As discussed on another HN thread, TCnext is hosting another TrueCrypt repository. TCnext refers to a set of "Independent" hashes hosted by German IT-News Golem.de.

At the time of writing, in cross-referencing all hashes mentioned above, the SHA256 hashes were all identical.  Further, the source and binaries hosted by AuditProject on GitHub matches against those SHA256 hashes.  You should check for yourself when you download them, of course.